Windows
Analysis Report
DMv89K955Y.exe
Overview
General Information

Field | Value |
---|---|
Sample name | DMv89K955Y.exe (renamed because the original name is a hash value) |
Original sample name | 26d8d52bac8f4615861f39e118efa28d.exe |
Analysis ID | 1546941 |
MD5 | 26d8d52bac8f4615861f39e118efa28d |
SHA1 | efd5a7ccd128ffe280af75ec8b3e465c989d9e35 |
SHA256 | 8521a1f4d523a2a9e7f8ddf01147e65e7f3ff54b268e9b40f91e07dc01fa148f |
Tags | 32, exe, trojan |
Detection

Field | Value |
---|---|
Detection | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer |
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected LummaC Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
- DMv89K955Y.exe (PID: 4884 cmdline: "C:\Users\user\Desktop\DMv89K955Y.exe" MD5: 26D8D52BAC8F4615861F39E118EFA28D)
  - RegAsm.exe (PID: 5764 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  - RegAsm.exe (PID: 988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  - c.exe (PID: 7032 cmdline: "C:\Users\user\AppData\Local\Temp\10000600101\c.exe" MD5: 4936C0448E4102EF927A39DBF8091A28)
  - conhost.exe (PID: 640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - c.exe (PID: 6892 cmdline: "C:\Users\user\AppData\Local\Temp\10000600101\c.exe" MD5: 4936C0448E4102EF927A39DBF8091A28)
  - WerFault.exe (PID: 7012 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 272 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - 5.exe (PID: 6360 cmdline: "C:\Users\user\AppData\Local\Temp\10000610101\5.exe" MD5: FACECD9A8C5218A49469DF1C3756D5F9)
  - chrome.exe (PID: 5096 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 4992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2388,i,15013827744706186800,13121207676491278986,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - service123.exe (PID: 352 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: B66A61DD0EFDB3AD15CE2756930C2003)
  - schtasks.exe (PID: 940 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)
  - conhost.exe (PID: 3908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WerFault.exe (PID: 5588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6360 -s 536 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - 449e940ceb.exe (PID: 3360 cmdline: "C:\Users\user\AppData\Local\Temp\10000630101\449e940ceb.exe" MD5: 39683F5EFD3B4C5C87C9105789937C4F)
  - InstallUtil.exe (PID: 5828 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- Application.exe (PID: 6980 cmdline: "C:\ProgramData\LgAmARwZ\Application.exe" MD5: 26D8D52BAC8F4615861F39E118EFA28D)
  - RegAsm.exe (PID: 2524 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- Application.exe (PID: 6228 cmdline: "C:\ProgramData\yIVKiWQb\Application.exe" MD5: 39683F5EFD3B4C5C87C9105789937C4F)
  - InstallUtil.exe (PID: 6556 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- service123.exe (PID: 3184 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: B66A61DD0EFDB3AD15CE2756930C2003)
- service123.exe (PID: 4508 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: B66A61DD0EFDB3AD15CE2756930C2003)
- service123.exe (PID: 2736 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: B66A61DD0EFDB3AD15CE2756930C2003)
- service123.exe (PID: 2728 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: B66A61DD0EFDB3AD15CE2756930C2003)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
CryptBot | A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2. | No Attribution | | |
{"C2 url": ["servicedny.site", "authorisev.site", "seallysl.site", "contemteny.site", "faulteyotk.site", "opposezmny.site", "goalyfeastz.site", "dilemmadu.site"], "Build id": "LD4nST--Exodus"}
{"C2 list": ["%gPfivejo5vt.top", "0.0.fivejo5vt.top", "0/80/fivejo5vt.top", "CTR-DRBG.top", "fivejo5vt.top", "QUERY|rd|AAAA|IN|fivejo5vt.top", "analforeverlovyu.top"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security | |
System Summary | |
---|---|
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems) |

Data Obfuscation | |
---|---|
Source: | Author: Joe Security |
No Suricata rule has matched.
AV Detection | |
---|---|
Source: | Avira |
Source: | Malware Configuration Extractor |
Source: | ReversingLabs |
Source: | Integrated Neural Analysis Model |
Source: | Joe Sandbox ML |
Source: | String decryptor |
Networking | |
---|---|
Source: | URLs |
Source: | IP Address |
Source: | String found in binary or memory |